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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Application of: William E. Duncan et al. Examiner: Pramila Parthasarathy 

Serial No.: 09/774,001 Group Art Unit: 2136 

Filed: January 31, 2001 Docket: 105.203US1 

For: SYSTEM AND METHOD FOR PROVIDING EXPANDABLE PROXY 
FIREWALL SERVICES 

APPEAL BRIEF UNDER 37 CFR S 41.37 

Mail Stop Appeal Brief- Patents 
Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Sir: 

The Appeal Brief is presented in support of the Notice of Appeal to the Board of 
Patent Appeals and Interferences, filed on August 25, 2005, from the Final Rejection of 
claims 1-24 and 26-27 of the above-identified application, as set forth in the Final Office 
Action mailed on March 25, 2005. 

The Commissioner of Patents and Trademarks is hereby authorized to charge 
Deposit Account No. 19-0743 in the amount of 250.00 which represents the requisite fee 
set forth in 37 C.F.R. § 41 .2(b)(2). The Appellants respectfully request consideration and 
reversal of the Examiner's rejections of pending claims. 
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[Synopsis of changes from previous rules: 

• Submit only a single copy of the appeal brief 37 CFR § 4137(a) 

• The requirement to identify related appeals and interferences is expanded to 
include related judicial proceedings, both prior and pending appeals, 
interferences, and judicial proceedings, 37 CFR § 41.37(c)(1)(H). 

• Copies of any decisions rendered in related proceedings need to be included in 
the Related Proceedings Appendix. 37 CFR § 4L37(c)(l)(x). 

• The requirement to identify claim status now includes the claim statuses (rejected, 
allowed or confirmed, withdrawn, objected to, canceled). 37 CFR § 

4 1.3 7(C)(1) (Hi) 

• The summary of the claimed subject matter must be a more concise explanation 
than previously required 37 CFR § 41.379(C)(l)(v). 

• There is no longer a requirement to group the claims. 

• A listing of any evidence relied on by the appellant in the appeal, together with a 
statement setting forth where the evidence was entered in the record by the 
Examiner. 37 CFR § 4137 (c)(1) (ix).j 
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reversal of the Examiner's rejections of pending claims. 
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1. REAL PARTY IN INTEREST 

The real party in interest of the above-captioned patent application is the assignee, 
SECURE COMPUTING CORPORATION. 



APPEAL BRIEF UNDER 37 C.F.R. § 41.37 Page 3 

Serial Number: 09/774,001 Dkt: 105.203US1 

Filing Date: January 31, 2001 

Title: SYSTEM AND METHOD FOR PROVIDING EXPANDABLE PROXY FIREWALL SERVICES 



2. RELATED APPEALS AND INTERFERENCES 



There are no other appeals or interferences known to Appellant that will have a 
bearing on the Board's decision in the present appeal. 
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3. STATUS OF THE CLAIMS 

The present application was filed on January 31, 2001 with claims 1-26. A non- 
final Office Action was mailed June 24, 2004. A Final Office Action (hereinafter "the 
Final Office Action") was mailed March 25, 2005. 

Claims 1-24 and 26 stand twice rejected. Claim 25 has been canceled while claim 
27 has been rejected once. Claims 1-24, 26 and 27 remain pending and are the subject of 
the present Appeal. 
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4. STATUS OF AMENDMENTS 



No amendments have been made subsequent to the Final Office Action dated 
March 25,2005. 
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5. SUMMARY OF CLAIMED SUBJECT MATTER 

Appellant describes, and claims in claims 1-24, 26 and 27, systems and methods 
for providing scalable proxy firewall services to computer networks. Appellant notes in 
the Background section of the application that a problem with proxy server-based 
firewalls is that they are difficult to scale as the demand for through-put or resources 
increase. Software-based solutions to facilitate scaling are limited by the existing 
hardware. Hardware-based solutions typically require re-installation and re-configuration 
of the firewall and network topology, a process which is time consuming and expensive. 

To address the problem of scaling, Appellant teaches, and claims in claims 1-24, 

26 and 27, that the firewall system be configured to include a dispatch host computer and 

one or more load host computers. 

It is a feature of the present invention to provide load balancing of 
proxy firewall services. In accordance with the present invention, the 
firewall system can be configured to include a dispatch host computer and 
one or more load host computers. Proxy firewall services can be provided 
by proxy applications that reside on either the dispatch host computer 
and/or the load host computers. In one embodiment, a load host computer 
can be configured to support multiple proxy applications. In other 
embodiments, a load host computer can be dedicated to a single resource 
intensive application. In this framework, a network administrator can 
flexibly decide how to accommodate the demand for proxy firewall 
services. 

Another feature is to provide an easily expandable firewall system. 
A system administrator can add another firewall module into the network 
as network traffic increases to share the load across the firewall modules. 
The firewall module can be added without disrupting ongoing security 
services. The proxy firewall system allows the system administrator to 
incrementally increase the overall proxy firewall service capacity without 
re-installing the firewall. In one embodiment, this feature is enabled 
through the inclusion of a configuration file on the dispatch host computer 
that stores information relating to the load host computers in the firewall 
system. 

Appellant's Specification, paragraphs 19 and 20. 

Appellant describes, and claims in claims 1-9, a number of ways to implement a 
scalable firewall. In the examples shown in Figs. 2A-C, firewall 200A includes a 
dispatch host computer 202(A-C) and one or more load host computers 226. Dispatch 
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host computer 202A is connected to an external network (outside network 208). Each 
load host computers 226 is coupled to the dispatch host computer (202A-C) and, in 
addition, can be connected to one or more application servers (232, 234, 236). 
Specification, paragraphs 21-26, 42 and 43. As claimed in claims 1-9, Appellant teaches 
that a connection from the external network (outside network 208) is received by the 
dispatch host computer (202) and distributed to a particular load host computer based on 
an analysis of the type of protocol of the connection and an analysis of activity across the 
load host computers. Specification, paragraphs 29-33. 

In addition, Appellant teaches in paragraph 29, and claims in claims 2 and 3, that 
a dispatch proxy can be used to listen for connections on multiple ports. 

Appellant also teaches in paragraph 32, and claims in claims 4 and 5, that the load 
host computer can either be limited to a single protocol, or handle multiple protocols. 

Appellant teaches in paragraphs 30-38, and claims in claims 6-8 and 11, that 
information regarding a connection from an external network is communicated between 
the load host computer and the dispatch host computer. In one example embodiment, this 
information is stored in configuration files. 

Appellant describes in Figs. 2A and 2C and paragraphs 27, 43 and 44, and claims 
in claim 9, that the dispatch host computer can provide proxy firewall services. 

Appellant describes, and claims in claims 10-16, a method of providing proxy 
firewall services. In the examples shown in Figs. 2A-C, firewall 200A includes a 
dispatch host computer 202(A-C) and one or more load host computers 226. The load 
host computers are identified (e.g., the method of paragraph 38) and configured to 
provide proxy firewall services (e.g., the method of paragraph 30). Appellant teaches in 
paragraph 29, and claims in claims 2 and 3, that a dispatch proxy operating in a dispatch 
host computer can be used to listen for connections on multiple ports. Once a connection 
has been identified, a local host computer is selected "based on an analysis of the type of 
protocol of said connection and an analysis of activity across the load host computers" 
(e.g., using the methods of paragraph 30 or 41). 

Appellant describes in paragraph 60, illustrates in Fig. 3 and claims in claims 13- 
17, methods for selecting a load host computer for a connection. Appellant describes in 
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Figs. 2 A and 2C and paragraphs 27, 43 and 44, and claims in claim 18, that the dispatch 
host computer can provide proxy firewall services. Appellant describes, and claims in 
claims 19-22, a method of designating a local host computer (e.g., using the methods of 
paragraph 30 or 41). 

Finally, Appellant describes at paragraphs 37-40 r 49 and 50, and claims in claims 
23, 24, 26 and 27, a method of expanding proxy firewall services. As noted at paragraph 

37, the dispatch host computer 202 receives a connection, selects a load host computer 
226 and forwards the connection to the selected load host computer 226. As can be seen 
in Figs. 2A-C, a second host computer can be connected to the dispatch host computer 
and, as noted at paragraph 38, "when a load host is added to the firewall system 200A, 
the newly added load host and the dispatch host 202A communicate with each other." 
The communication results in the update of a configuration file. Once information 
regarding the second load host computer 226 is stored in the configuration file, the 
second load host computer "is available to process forwarded connections from said 
dispatch host computer" as noted in paragraph 40. 

As noted at paragraph 38, and claimed in claims 24 and 26, information from the 
load host computer is used to update the configuration file. Also as noted at paragraph 

38, and claimed in claim 27, connecting includes signaling the dispatch host computer 
upon connection. 
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6. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

Claims 1-24, 26 and 27 were rejected under 35 USC § 102(e) as being anticipated 
Devine et al. (U.S. Patent No. 6,606,708). 
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7. ARGUMENT 

A) The Applicable Law under 35 U.S.C. §1 02(e) 

A claim is anticipated only if each and every element as set forth in the claim is 
found, either expressly or inherently described, in a single prior art reference. M.P.E.P § 
2131. To anticipate a claim, a reference must disclose every element of the challenged 
claim and enable one skilled in the art to make the anticipating subject matter. PPG 
Industries, Inc. V. Guardian Industries Corp., 75 F.3d 1558, 37 USPQ2d 1618 (Fed. Cir. 
1996). The identical invention must be shown in as complete detail as is contained in the 
claim. Richardson v. Suzuki Motor Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 
(Fed. Cir. 1989). Appellant respectfully submits that the Final Office Action did not 
make out a prima facie case of anticipation because Devine does not teach each and 
every claim element arranged as in the claims. 

B) Discussion of the rejection of claims 1-9 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 1-9 were rejected under 35 USC § 102(e) as being anticipated by Devine 
et al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach 
distributing a connection as a function of "an analysis of activity across the load host 
computers" as required by claims 1-9. 

Devine teaches a double firewalled system. As described at col. 9, lines 4 through 
59 and as shown in Figs. 4 and 5, web servers 24 and 52 are placed in a demilitarized 
zone (DMZ). Client devices 10 access the web servers through public internet 15. 
Attempts to access the company intranet pass through a firewall 29a (the first firewall) to 
a dispatcher service and from there are directed through a proxy firewall (the second 
firewall). 
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As can be seen in Fig. 4, and as noted at col. 9, lines 42-44, Devine's network 

architecture may include a variety of application specific proxies associated with Intranet 

application servers. As noted at col. 10, lines 9-16, 

Each of the individual proxies may be maintained on the dispatcher 
server 26, the related application server, or a separate proxy server situated 
between the dispatcher server 26 and the midrange server 40. The relevant 
proxy waits for requests from an application client running on the 
customer's workstation 10 and then services the request, either by handling 
them internally or forwarding them to its associated Intranet application 
server 40. 

Appellant respectfully submits that Devine fails to teach distributing a connection 
as a function of "an analysis of activity across the load host computers" as required by 
claims 1-9. Devine does not perform such an analysis. In fact, Devine teaches away 
from it. Instead of locating proxies to balance the load across the proxy servers and 
rebalance as necessary, Devine suggests that proxies be placed in the dispatch server, on 
the application servers or in a separate proxy server, as noted above. The section cited by 
the Examiner (Column 9, lines 42-59) does not mention such an analysis. Instead, it 
discusses the use of application specific proxies. 

Since Devine does not teach each and every claim element arranged as in the 
claims, the rejection of claims 1-9 is incorrect. Reconsideration and reversal of the 
rejection of claims 1-9 is respectfully requested. 



C) Discussion of the rejection of claims 6-8 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 6-8 were rejected under 35 USC § 102(e) as being anticipated by Devine 
et al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach that 
the load host computer and the dispatch host computer communicate information 
regarding the connection of the load host computer to the computer system as required by 
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claims 6-8. The sections cited by the Examiner (Column 22, lines 6-30 and Column 24, 
lines 7-43) do not mention such an approach. 

Reconsideration and reversal of the rejection of claims 6-8 is respectfully 
requested. 

D) Discussion of the rejection of claims 7 and 8 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 7 and 8 were rejected under 35 USC § 102(e) as being anticipated by 
Devine et al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is 
respectfully traversed. Appellant respectfully submits that the Final Office Action has 
made an improper prima facie showing of anticipation at least because Devine fails to 
teach that the load host computer and the dispatch host computer communicate 
information regarding the connection of the load host computer to the computer system 
and that that information is stored in a configuration file within the dispatch host 
computer as required by claims 7 and 8. The sections cited by the Examiner (Column 23, 
lines 17-47 and Column 24, lines 35-43) describe a load balancing algorithm and a real- 
time monitoring system, respectively, not the use of a configuration file to store load host 
computer information. 

Reconsideration and reversal of the rejection of claims 7 and 8 is respectfully 
requested. 

E) Discussion of the rejection of claims 10-16 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 10-16 were rejected under 35 USC § 102(e) as being anticipated by 
Devine et al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is 
respectfully traversed. Appellant respectfully submits that the Final Office Action has 
made an improper prima facie showing of anticipation at least because Devine fails to 
teach distributing a connection as a function of "an analysis of activity across the load 
host computers" as required by claims 10-16. 

Devine is described above. 
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Appellant respectfully submits that Devine fails to teach distributing a connection 
as a function of "an analysis of activity across the load host computers" as required by 
claims 10-16. Devine does not perform such an analysis. In fact, Devine teaches away 
from it. Instead of locating proxies to balance the load across the proxy servers and 
rebalance as necessary, Devine suggests that proxies be placed in the dispatch server, on 
the application servers or in a separate proxy server, as noted above. The sections cited 
by the Examiner (Column 9, lines 42-59, Column 13, lines 28-59 and column 24, line 66 
through Column 25, line 67) do not mention such an analysis. Instead, they discuss the 
use of application specific proxies, logical messaging between the client and the web 
server and logical messaging between the dispatch server and the application specific 
proxy, respectively. 

Since Devine does not teach each and every claim element arranged as in the 
claims, the rejection of claims 10-16 is incorrect. Reconsideration and reversal of the 
rejection of claims 10-16 is respectfully requested. 

F) Discussion of the rejection of claim 11 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claim 1 1 was rejected under 35 USC § 102(e) as being anticipated by Devine et 
al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach that 
the load host computer and the dispatch host computer communicate information 
regarding the availability of the load host computer as required by claim 1 1 . Instead, the 
section cited by the Examiner for this teaching describes how application proxies receive 
and respond to requests from an application client. 

Reconsideration and reversal of the rejection of claim 1 1 is respectfully requested. 
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G) Discussion of the rejection of claims 13-16 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claim 1 1 was rejected under 35 USC § 102(e) as being anticipated by Devine et 
al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach the 
selection of the load host computer based on the factors listed in any of claims 13-16. 
The section cited by the Examiner for this teaching is limited to a description of the web 
server 24 upstream from the dispatch server 26. It does not describe the selection of the 
load host computer based on the factors listed in any of claims 13-16. Reconsideration 
and reversal of the rejection of claims 13-16 is respectfully requested. 



H) Discussion of the rejection of claims 17-22 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 17-22 were rejected under 35 USC § 102(e) as being anticipated by 
Devine et al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is 
respectfully traversed. Appellant respectfully submits that the Final Office Action has 
made an improper prima facie showing of anticipation at least because Devine fails to 
teach "identifying a resource intensive protocol" or "designating a load host computer for 
providing primary support for said resource intensive protocol" as required by claims 17- 
22. The first section cited by the Examiner for teaching "identifying a resource intensive 
protocol" (Column 9, line 42 through Column 10, line 67) simply describes the 
architecture and use of application specific proxies, while the second section (Column 24, 
line 66 through Column 25, line 67 describes how a message passes from a dispatch 
server to an application specific proxy. There is no "identifying a resource intensive 
protocol" as described by Appellant and claimed in claims 17-22. 

The Examiner cites Column 9, line 42 through Column 10, line 67 and Column 
13, line 30 through Column 14, line 37 as teaching "designating a load host computer for 
providing primary support for said resource intensive protocol." The sections cited, 
however, simply describes the architecture and use of application specific proxies and 
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how a message passes from a client browser to an application specific proxy, 
respectively. There is no designating as defined by Appellant and claimed in claims 17- 
22. 

Since Devine does not teach each and every claim element arranged as in the 
claims, the rejection of claims 17-22 is incorrect. Reconsideration and reversal of the 
rejection of claims 17-22 is respectfully requested. 

I) Discussion of the rejection of claim 19 under 35 U.S.C § 102(e) as being 
anticipated by Devine et aL (U.S. Patent No. 6,606,708). 

Claim 19 was rejected under 35 USC § 102(e) as being anticipated by Devine et 
al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach 
designating a load host computer by "analyzing activity across a plurality of host 
computers and selecting a load host computer based on the load host computer activity 
analysis" as required by claim 19. Instead, the section cited by the Examiner for this 
teaching simply describes where the application server proxies reside and how requests 
for the proxies are validated. Reconsideration and reversal of the rejection of claim 19 is 
respectfully requested. 



J) Discussion of the rejection of claims 23, 24, 26 and 27 under 35 U.S.C. § 102(e) as 
being anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claims 23, 24, 26 and 27 were rejected under 35 USC § 102(e) as being 
anticipated by Devine. This rejection is respectfully traversed. Appellant respectfully 
submits that the Final Office Action has made an improper prima facie showing of 
anticipation at least because Devine fails to teach updating a configuration file on the 
dispatch host computer to reflect the connection of a second load host computer as 
required by claims 23, 24, 26 and 27. The sections cited by the Examiner for this 
teaching instead describe a customer GUI (Column 7, lines 27-37), the DMZ web servers 
(Column 23, lines 17-40) and the use of a first router 55 to route messages from the DMZ 
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web servers to the dispatcher server 26 and a second router 65 to route messages from the 
real time monitoring server 52 to the dispatcher server 26 (Column 24, lines 44-51). 
There is no discussion of how to recognize and configure a new load host computer as 
described by Appellant and claimed in claims 23, 24, 26 and 27. 

Since Devine does not teach each and every claim element arranged as in the 
claims, the rejection of claims 23, 24, 26 and 27 is incorrect. Reconsideration and 
reversal of the rejection of claims 23, 24, 26 and 27 is respectfully requested. 

K) Discussion of the rejection of claim 24 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claim 24 was rejected under 35 USC § 102(e) as being anticipated by Devine et 
al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach 
communicating information between the newly connected computer and the dispatch host 
computer "regarding the availability of said second load host computer" as required by 
claim 24. The sections cited by the Examiner for this teaching instead describe a 
customer GUI (Column 7, lines 27-37), the DMZ web servers (Column 23, lines 17-40) 
and the use of a first router 55 to route messages from the DMZ web servers to the 
dispatcher server 26 and a second router 65 to route messages from the real time 
monitoring server 52 to the dispatcher server 26 (Column 24, lines 44-51). 

Reconsideration and reversal of the rejection of claim 24 is respectfully requested. 

L) Discussion of the rejection of claim 27 under 35 U.S.C. § 102(e) as being 
anticipated by Devine et al. (U.S. Patent No. 6,606,708). 

Claim 27 was rejected under 35 USC § 102(e) as being anticipated by Devine et 
al. (U.S. Patent No. 6,606,708, hereinafter "Devine"). This rejection is respectfully 
traversed. Appellant respectfully submits that the Final Office Action has made an 
improper prima facie showing of anticipation at least because Devine fails to teach that 
connecting a second load host computer to the dispatch host computer includes signaling 
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the dispatch host computer upon connection as required by claim 27. The section cited 
by the Examiner for this teaching instead describes the use of a first router 55 to route 
messages from the DMZ web servers to the dispatcher server 26 and a second router 65 
to route messages from the real time monitoring server 52 to the dispatcher server 26 
(Column 24, lines 44-51). 

Reconsideration and reversal of the rejection of claim 27 is respectfully requested. 
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8. SUMMARY 

For the reasons argued above, claims 1-24, 26 and 27 were not properly rejected 
under § 102(e) as being unpatentable over Devine et al. 

It is respectfully submitted that the art cited does not render the claim anticipated 
and that the claims are patentable over the cited art. Reversal of the rejection and 
allowance of the pending claim are respectfully requested. 



Respectfully submitted, 
WILLIAM E. DUNCAN et al. 
By their Representatives, 

SCHWEGMAN, LUNDBERG, 
WOESSNER & KLUTH, P. A. 
P.O. Box 2938 
Minneapolis, MN 55402 
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Thomas F. Brennan 
Reg. No. 35,075 
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CLAIMS APPENDIX 

1 . (Rejected) A computer system for providing proxy firewall services for a 
computer network, comprising: 

a dispatch host computer, said dispatch host computer being connectable to an 
external network; and 

at least one load host computer coupled to said dispatch host computer, each load 
host computer configured to provide proxy firewall services and each load host computer 
being connectable to one or more application servers, wherein said connection from the 
external network is distributed from said dispatch host computer to a particular load host 
computer based on an analysis of the type of protocol of the connection and an analysis 
of activity across the load host computers. 

2. (Rejected) The computer system of claim 1, wherein said dispatch host computer 
includes a monitoring element that listens for connections on multiple ports. 

3. (Rejected) The computer system of claim 2, wherein said monitoring element is a 
dispatch proxy. 

4. (Rejected) The computer system of claim 1, wherein said at least one load host 
computer is a protocol specific load host computer. 

5. (Rejected) The computer system of claim 1, wherein said at least one load host 
computer can handle multiple protocols. 

6. (Rejected) The computer system of claim 1, wherein said at least one load host 
computer and said dispatch host computer communicate information regarding the 
connection of said at least one load host computer to the computer system. 

7. (Rejected) The computer system of claim 6, wherein said dispatch host computer 
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includes a configuration file with information relating to any load host computers in the 
computer system. 

8. (Rejected) The computer system of claim 7, wherein upon the connection of 
another load host computer to the computer system, said configuration file is updated to 
reflect the availability of said another load host computer in the computer system. 

9. (Rejected) The computer system of claim 1, wherein said dispatch host computer 
provides proxy firewall services. 

10. (Rejected) A method of providing proxy firewall services for a computer 
network, 

comprising: 

identifying a set of load host computers, each load host computer in said set of 
load host computers being configured to provide proxy firewall services; 

monitoring one or more incoming ports at a dispatch host computer for a 
connection; 

upon identification of said connection, selecting from said set of load host 
computers a load host computer to which said connection should be forwarded based on 
an analysis of the type of protocol of said connection and an analysis of activity across 
the load host computers. 

1 1 . (Rejected) The method of claim 10, wherein said identifying comprises 
communicating information between said dispatch host computer and said load host 
computers relating to the availability of said load host computers. 

12. (Rejected) The method of claim 10, wherein said monitoring comprises 
monitoring for a connection with a dispatch proxy that monitors one or more incoming 
ports on said dispatch host computer simultaneously. 
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13. (Rejected) The method of claim 10, wherein said selecting comprises selecting a 
load host computer based on a round robin load distribution among said load host 
computers. 

14. (Rejected) The method of claim 10, wherein said selecting comprises selecting a 
load host computer based on the availability of the load host computers. 

15. (Rejected) The method of claim 10, wherein said selecting comprises selecting a 
load host computer based on the percentage of the total number of simultaneous proxied 
connections the load host computer can support. 

16. (Rejected) The method of claim 10, wherein said selecting comprises selecting a 
load host computer that can support a resource intensive protocol. 

17. (Rejected) A firewall network resource method comprising: 
identifying a resource intensive protocol; 

designating a load host computer for providing primary support for said resource 
intensive protocol; and 

routing a connection for said resource intensive protocol from a dispatch host 
computer to said designated load host. 

18. (Rejected) The method of claim 17, further comprising: 

processing on the dispatch host computer a connection for at least one protocol 
other than said resource intensive protocol. 

19. (Rejected) The method of claim 17, wherein said designated load host provides 
exclusive support for said resource intensive protocol and wherein designating includes 
analyzing activity across a plurality of host computers and selecting a load host computer 
based on the load host computer activity analysis. 
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20. (Rejected) The method of claim 17, wherein said designated load host is 
dedicated to said resource intensive protocol. 

21. (Rejected) The method of claim 17, further comprising: 
designating another load host for multi-purpose support. 

22. (Rejected) The method of claim 17, wherein said dispatch host computer has 
multi-purpose support. 

23. (Rejected) A method of expanding proxy firewall services for a computer 
network 

compromising: 

receiving a connection at a dispatch host computer; 

selecting a first load host computer to which the connection should be forwarded; 

forwarding said connection to said first load host computer; 

connecting a second load host computer to said dispatch host computer; and 

updating a configuration file on said dispatch host computer to reflect the 
connection of said second load host computer, wherein upon said updating, said second 
load host computer is available to process forwarded connections from said dispatch host 
computer. 

24. (Rejected) The method of claim 23, wherein said updating comprises 
communicating 

information between said dispatch host computer and said second load host computer 
regarding the availability of said second load host computer. 

25. (Canceled) 

26. (Rejected) The method of claim 23, wherein said connecting and said updating 
occur during the provision of proxy firewall services. 
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27. (Rejected) The method of claim 23, wherein said connecting includes signaling 
the dispatch host computer upon connection. 
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EVIDENCE APPENDIX 



None. 
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RELATED PROCEEDINGS APPENDIX 



None. 



